feat: allow by default if none of the permission is evaluated"

internal/proxy/middleware/authz/authz.go

@@ -219,7 +219,7 @@ func (c *Authz) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		permissionAttributes[key] = value
 	}
 
-	isAuthorized := false
+	isAuthorized := true
 	for _, permission := range config.Permissions {
 		c.log.Info("checking permission", "permission", permission.Name)
 		if !permission.Expression.IsEmpty() {

test/e2e_test/smoke/proxy_test.go

@@ -184,6 +184,38 @@ func (s *EndToEndProxySmokeTestSuite) TestProxyToEchoServer() {
 		s.Assert().Equal(401, res.StatusCode)
 	})
 
+	s.Run("permission expression: if none of the permission is evaluated, user shall be authenticated", func() {
+		groupDetail, err := s.client.GetGroup(context.Background(), &shieldv1beta1.GetGroupRequest{Id: s.groupID})
+		s.Require().NoError(err)
+
+		url := fmt.Sprintf("http://localhost:%d/api/create_firehose_based_on_sink", s.appConfig.Proxy.Services[0].Port)
+		reqBodyMap := map[string]any{
+			"project":      s.projID,
+			"name":         "test-resource-group-slug",
+			"group_slug":   groupDetail.GetGroup().GetSlug(),
+			"organization": s.orgID,
+			"configs": map[string]any{
+				"env_vars": map[string]any{
+					"SINK_TYPE": "log",
+				},
+			},
+		}
+		reqBodyBytes, err := json.Marshal(reqBodyMap)
+		s.Require().NoError(err)
+
+		req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqBodyBytes))
+		s.Require().NoError(err)
+
+		req.Header.Set(testbench.IdentityHeader, "[email protected]")
+
+		res, err := http.DefaultClient.Do(req)
+		s.Require().NoError(err)
+
+		defer res.Body.Close()
+		fmt.Println("BODY", res)
+		s.Assert().Equal(200, res.StatusCode)
+	})
+
 	s.Run("resource created on echo server should persist in shieldDB when using group slug", func() {
 		groupDetail, err := s.client.GetGroup(context.Background(), &shieldv1beta1.GetGroupRequest{Id: s.groupID})
 		s.Require().NoError(err)